A Guide to Data Security
Contents
01 Card data breaches are real
02 What is the Payment Security Standard?
03 How do I adhere to this standard?
04 How do I maintain PCI DSS compliance?
05 What do I need to do for my business set up?
06 Here to protect
07 Who’s who in the Payment Card Industry?
08 PCI DSS as a framework for GDPR data security
09 Here to safeguard
01 Card data breaches are real
Reports of data breaches in the media are on the rise. Cardholder data is extremely valuable and hackers are capitalising on this demand.
The growth in identity theft and in thieves impersonating cardholders means businesses need to be more vigilant in protecting the card data they hold.
A data breach means a business could suffer:
• Loss of sales
• Brand reputational damage
• Fraud losses
• Legal costs, settlements and judgments
• Fines and penalties
• Termination of ability to accept payment cards
• Termination of jobs (Chief Information Security Officer, Chief Executive Officer and dependent professional positions)
• Going out of business
A single credit card is worth up to $100 on the black market*, which is why large databases and insecure small businesses are a prime target for hackers.
*Symantec Internet Security Threat Report, 2017
In 2016, 40% of information lost in data breaches was Personal Financial Information, including credit or debit card details or banking financial records.*
02 What is the Payment Security Standard?
The Card Brands (Visa, Mastercard, JCB, Amex and Discover) developed the Payment Card Industry Data Security Standard (PCI DSS), which defines the baseline security controls for protecting card data.
The standard applies to all businesses, wherever they are, that store, process or transmit cardholder data.
PCI DSS can also provide a framework to help businesses meet the data security requirements of the General Data Protection Regulation (GDPR), the EU regulation that applies from May 2018. PCI DSS is concerned with cardholder data, whereas the GDPR regulates all personal data.
Businesses must comply with the standard: in the event of a data breach, a non-compliant business faces fines and penalties from the Card Brands, and data protection authorities can impose separate penalties under the GDPR.
03 How do I adhere to this standard?
PCI DSS applies to all the technical and operational system components that process, store or transmit cardholder data.
This means your in-store card payment terminals, tills, networks and payment processes, and if you sell online, your local area and wide area network, phone lines and gateway, are all in scope for the standard.
Goals and PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
04 How do I maintain PCI DSS compliance?
PCI DSS aims to reduce card fraud by ensuring that cardholder data is protected through a 360º approach to security.
Payment security needs to be a continuous process, not just an annual check.
Assess: Identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyse them for vulnerabilities.
Remediate: Fix vulnerabilities and eliminate the storage of cardholder data unless absolutely necessary.
Report: Compile and submit the necessary reports to Elavon.
05 What do I need to do for my business set up?
Your business will fall into one of four levels based on the number of Visa or Mastercard transactions processed over a 12 month period. The volume of transactions you process indicates what level your business is and what validation is needed.
Level 1
Criteria: Any merchant processing over 6 million Visa or Mastercard transactions per year, that has suffered a data breach, or that is identified as Level 1 by another card brand.
Validation: Annual on-site review by a Qualified Security Assessor and a passing network scan by an Approved Scanning Vendor (ASV), if applicable.
Level 2
Criteria: Any merchant processing 1 million to 6 million Visa or Mastercard transactions per year.
Validation: Annual completion of a Self-Assessment Questionnaire (SAQ) and a passing ASV network scan, if applicable.
Level 3
Criteria: Any eCommerce merchant processing 20,000 to 1 million Visa or Mastercard eCommerce transactions per year.
Validation: Annual completion of an SAQ and a passing ASV network scan, if applicable.
Level 4
Criteria: Any merchant processing fewer than 20,000 eCommerce transactions per year, and all other merchants processing up to 1 million transactions per year, regardless of acceptance channel.
Validation: Annual completion of an SAQ and a passing ASV network scan.
06 Here to protect
Track and monitor PCI DSS compliance programmes
Level 1-4 customers - as an acquirer, we need to ensure that you attest to and maintain PCI DSS compliance so we can accurately report this to the Card Schemes.
Customer and Colleague Support - we offer personal consultancy to our corporate customers, working together to understand your business and individual PCI DSS compliance plans. Our small to medium enterprise customers can choose from a managed service or self-service offering, using our compliance portal to complete your PCI DSS validation.
Industry and Expert Knowledge - you will have access to a large pool of security talent and PCI Qualified Security Assessors, as well as data security experts who can support you in your payment card security needs.
Whatever your level, complexity or size of business, or wherever you are on your payment security journey, Elavon and its trusted partners can assist you.
07 Who’s who in the Payment Card Industry?
Acquirers must notify their customers about PCI DSS and their responsibilities. They also gather PCI DSS status information from customers and report this to the Card Schemes.
Card Schemes are responsible for the programmes that you must comply with. They receive card data directly from the acquirer, not from merchants.
Qualified Security Assessors (QSAs) help customers reach PCI DSS compliance and can assist in SAQ completion by providing technical guidance. They will also help scope and audit your environment and produce a Report on Compliance to confirm your compliance status.
Approved Scanning Vendors (ASVs) conduct PCI security scans over the internet which help identify vulnerabilities within web sites, applications and information technology (IT) infrastructures.
The Payment Card Industry Security Standards Council (PCI SSC) is the governing body that writes and maintains the PCI DSS.
You are required to submit a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) yearly to your acquirer(s).
08 PCI DSS as a framework for GDPR data security
The General Data Protection Regulation (GDPR) becomes law in all EU countries in May 2018. So if your business
Goals and Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect PERSONAL data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored PERSONAL data
4. Encrypt transmission of PERSONAL data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to PERSONAL data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to PERSONAL data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and PERSONAL data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
All businesses that trade within the EU or have parts of their business located within the EU are subject to the GDPR. Failure to demonstrate adequate security controls, and other GDPR infringements, can mean that businesses are liable for fines of up to €20m or 4% of annual worldwide turnover (whichever is greater).
Additional information on GDPR:
http://ec.europa.eu/justice/data-protection/index_en.htm
PCI DSS is a logical structure to approach GDPR compliance for data security.
09 Here to safeguard
It is your responsibility to become PCI DSS compliant, but it’s ours to support you where we can. Whether you are fully compliant with the PCI DSS, are working towards compliance, or even if you have never heard of the PCI DSS before, we can help you through the next steps.
What do I need as a merchant?

“I have never heard of PCI DSS compliance and I am not aware of my responsibilities.”
Next step, Levels 1-3: Please contact your Elavon Payment Data Security Consultant who will assist you through the process. Email: [email protected]
Next step, Level 4: Please contact your Elavon Sales representative or email: helpdesk@elavonsecuritymanager.com

“I am/we are working towards PCI DSS compliance”
Next step, Levels 1-3: Please forward evidence of your progress to your Elavon Payment Data Security Consultant for review. Email: [email protected]
Next step, Level 4: Log on to your Secured by Elavon dedicated portal and update your details to reflect your current status: www.elavonsecuritymanager.com

“My business is fully PCI DSS compliant”
Next step, Levels 1-3: Please forward evidence of your compliance status that meets the Level validation requirements to your Elavon Payment Data Security Consultant for review. Email: [email protected]
Next step, Level 4: Upload your Attestation of Compliance to the Secured by Elavon portal: www.elavonsecuritymanager.com
Please contact us for further information on PCI DSS compliance and data security (Level 4 Businesses and Level 1-3 Corporates):
UK: 0330 808 3301, elavon.co.uk/security
Ireland: 1850 887 077, elavon.ie/security
Report an Incident:
UK: 01923 651 622
IRE: 0402 25 322
Elavon Financial Services DAC Registered in Ireland with Companies Registration Office (Reg. No. 418442). Registered Office: Building 8
Cherrywood Business Park, Loughlinstown, Dublin, D18 W319, Ireland. Registered in England and Wales under the number BR009373.
The liability of the member is limited. Elavon Financial Services DAC, trading as Elavon Merchant Services, is regulated by the Central Bank
of Ireland. United Kingdom branch is authorised by Central Bank of Ireland and the Prudential Regulation Authority and subject to limited
regulation by the Financial Conduct Authority and Prudential Regulation Authority. Details about the extent of our authorisation and
regulation by the Prudential Regulation Authority, and regulation by the Financial Conduct Authority are available from us on request.